Why formal verification remains on the fringes of commercial - - PowerPoint PPT Presentation
Why formal verification remains on the fringes of commercial development Arvind Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology WG2.8, Park City, Utah June 16, 2008 May 27, 2008 L1-1
May 27, 2008 L1-1 http://csg.csail.mit.edu/arvind
Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology WG2.8, Park City, Utah June 16, 2008
May 27, 2008 L1-2 http://csg.csail.mit.edu/arvind
May 27, 2008 L1-3 http://csg.csail.mit.edu/arvind
May 27, 2008 L1-4 http://csg.csail.mit.edu/arvind
Queue Manager Packet Processor Exit functions Control Processor
Line Card (LC)
IP Lookup
SRAM (lookup table)
Arbitration Switch
LC LC LC
A packet is routed based on the “Longest Prefix Match” (LPM) of it’s IP address with entries in a routing table Line rate and the order of arrival must be maintained line rate ⇒ 15Mpps for 10GE
May 27, 2008 L1-5 http://csg.csail.mit.edu/arvind
int lpm (IPA ipa) /* 3 memory lookups */ { int p; /* Level 0: 8 bits */ p = RAM [ipa[31:24]]; if (isLeaf(p)) return value(p); /* Level 1: 8 bits */ p = RAM [ipa[23:16]]; if (isLeaf(p)) return value(p); /* Level 2: 8 bits */ p = RAM [ptr(p) + ipa [15:8]]; if (isLeaf(p)) return value(p); /* Level 3: 8 bits */ p = RAM [ptr(p) + ipa [7:0]]; return value(p); /* must be a leaf */ }
Not obvious from the C code how to deal with
Must process a packet every 1/15 µs or 67 ns Must sustain 4 memory dependent lookups in 67 ns
Memory latency ~30ns to 40ns
Real LPM algorithms are more complex … … … …
28-1
May 27, 2008 L1-6 http://csg.csail.mit.edu/arvind
enter? done?
RAM
yes inQ fifo no
Easy: check it against the C program
Has direct impact on memory cost
Is it even possible to express in a given logic? Alternative: The designer tags input messages and
checks that the tags are produced in order
May 27, 2008 L1-7 http://csg.csail.mit.edu/arvind
Controller Scrambler Encoder Interleaver Mapper Cyclic Extend headers data accounts for 85% area
24 Uncoded bits
Must produce one OFDM symbol (64 Complex Numbers) every 4 µsec IFFT
May 27, 2008 L1-8 http://csg.csail.mit.edu/arvind
Small amounts of testing against the C code
C code may have to be instrumented to capture
the intermediate values in the FIFOs
No corner cases in the computation in
High-confidence with a few correct packets
Still may be worthwhile proving that the (non standard) arithmetic library is implemented correctly
May 27, 2008 L1-9 http://csg.csail.mit.edu/arvind
Designers totally ignore this issue This incorrectness is likely to have no impact on
sales
Who would know?
All these are purely academic questions!
May 27, 2008 L1-10 http://csg.csail.mit.edu/arvind
The standard is 400+ pages of English; the standard implementation is 80K lines of convoluted C. Each is incomplete! Only viable correctness criterion is bit-level matching against the reference implementation on sample videos Parallelization is more complicated than what one may guess based on the dataflow diagram because of data-dependencies and feedback
NAL unwrap Parse + CAVLC Inverse Quant Transformation Deblock Filter Intra Prediction Inter Prediction Ref Frames Compresse d Bits Frames
Errors don’t matter much
May 27, 2008 L1-11 http://csg.csail.mit.edu/arvind
Different requirements for different environments
QVGA 320x240p (30 fps) DVD 720x480p HD DVD 1280x720p (60-75 fps)
Each context requires a different amount of parallelism in different blocks
Modular refinement is necessary Verifying the correctness of refinements requires
traditional formal techniques (pipeline abstraction, etc.)
NAL unwrap Parse + CAVLC Inverse Quant Transformation Deblock Filter Intra Prediction Inter Prediction Ref Frames Compresse d Bits Frames
May 27, 2008 L1-12 http://csg.csail.mit.edu/arvind
Empty Waiting Dispatched Killed Done E W Di K Do
Head Tail V -
V - V -
V - V -
V - V -
V - V -
V - V -
V - V -
V - V -
V - V -
V - V -
V - V 0
V 0 W V 0
V 0 W
V 0 W V 0
V 0 W V -
V - V -
V - E E E E E E E E E E E E V 0
Re-Order Buffer Insert an instr into ROB
Decode Unit Register File
Get operands for instr Writeback results Get a ready ALU instr Get a ready MEM instr Put ALU instr results in ROB Put MEM instr results in ROB
ALU Unit(s) MEM Unit(s)
Resolve branches
Operand 1 Result Instruction Operand 2 State
May 27, 2008 L1-13 http://csg.csail.mit.edu/arvind
UCLID – Bryant (CMU) : OOO Processor hand
translated into CLU logic (synthetic)
Cadence SMV - McMillian : Tomasulo Algorithm
(hand written model. synthetic)
ACL – Jay Moore: (Translate into Lisp) …
Great emphasis (and progress) on automated
decision procedures
BAT[Manolios et al] is a move in the right direction
May 27, 2008 L1-14 http://csg.csail.mit.edu/arvind
May 27, 2008 L1-15 http://csg.csail.mit.edu/arvind
May 27, 2008 L1-16 http://csg.csail.mit.edu/arvind
For example, only 3 CPUs, 2 addresses
May 27, 2008 L1-17 http://csg.csail.mit.edu/arvind
The problem of verification of the actual
Testing cannot uncover all bugs because of
Proving the correctness of cache coherence protocol implementations remains a challenging problem
May 27, 2008 L1-18 http://csg.csail.mit.edu/arvind
Different applications require vastly different formal
and informal techniques
A designer is unlikely to do any thing for the sake of
helping the post design verification